©2022. All rights reserved. Risk Crew is a trading name of Risk Factory Limited, which is registered in England and Wales. ISOGU240822
The Breakdown
ISO 27001:2013 is broken down into two key areas: clauses 4 to 10, which define the
governance aspects, and the Annex A controls which, when implemented, define how you
manage risk. Clauses 4 to 10 are a mandatory part of your Information Security Management
System (ISMS), and you will also need the appropriate supporting documents and records. The Annex
A controls are optional (although most will apply); for those you select, you will need the appropriate policies and the
evidence that the controls are effective.
Information Security Managers need to understand how the standard is structured and how the
clauses and controls are organised. Each clause and subclause comes with a set of guidelines
to be followed to achieve compliance. It is important to be attentive to the requirements in terms
of processes, activities and documents.
This checklist is designed to be used as a benchmarking tool to enable you to understand how
closely (or not) your current suite of documents aligns with ISO 27001. It is also helpful for
conducting a gap analysis, responding to customer security questionnaires, or conducting
management reviews of your ISMS.
If your company is intending to gain ISO 27001 certification, these are the required processes,
documents, and policies that need to be included or created to deliver a compliant system.
Operational documents to be used by the security team and key risk stakeholders include:
7.2 Evidence of Competence
5.5.1 Documented Information Determined as Being Necessary for the Effectiveness of the ISMS
10.1 Evidence of the Nature of the Non-Conformities and Any Subsequent Actions Taken
The Policies
In addition, the following policy documents should be in place. Each policy applies to either all
staff or specific functions, i.e. IT, HR, Facilities etc.
Clause      Policy
A.8.3.1     Media Management
A.11.2.1    Equipment
A.12.2.1    Antivirus
A.12.3.1    Backups
Organisation. For example, if you are a software developer you would be expected to have a
comprehensive documented Software Development Life Cycle (SDLC) procedure.
Records are another important consideration. The operational procedures and policies will need
to generate a variety of outputs to demonstrate that they are working and delivering security
and business benefits.
Additional Recommendations
1. Keep policies as simple as possible so that staff can understand and follow them. Each
policy should have a succinct:
• Policy Statement – This should simply state ‘what we need to do’
• Policy Objective – This should concisely explain ‘why we need to do it’
2. Create an easy to navigate document hierarchy. For small/medium organisations, Risk Crew
recommends the following:
• ISMS Manual – Containing all operational processes/requirements
• Risk Assessment Spreadsheet – Containing the Asset Inventory, Risk Assessment,
Risk Treatment Plan and Statement of Applicability
• Acceptable Use Policy – Containing all policies that apply to all staff
• IT Security Policy – Containing all policies applicable to the IT Department
• HR Security Policy – Containing all policies applicable to the HR Department
• Information Security Manager Policy – Containing all policies applicable to the
management of security
3. If you adopt the hierarchy above, all of your mandated policies and
procedures will be covered within six documents. Here are more tips to keep in mind:
• Writing Techniques – Policies should be written to align with the culture of the
company. Try to avoid making them too academic or technical. Give specific
company examples to help bring them to life.
• Communication – You now have developed a fully compliant suite of security
policies…great. But they are virtually worthless if they are not communicated
to staff.
• Enforcement – You now need to ensure that staff are adhering to the policies.
One method to consider is appointing departmental ‘policy champions’ whose
role is to monitor and educate staff within their area.
How Risk Crew Can Help
Writing and assembling the required documentation can be a gruelling task, but it doesn’t have
to be. Risk Crew consultants can support you with all your ISO 27001 requirements to help you
achieve certification. Risk Crew has been delivering ISO consultancy services for over 30
combined years. Our experts are working practitioners who use their knowledge to accelerate
your compliance with the standard.
Four services are available – providing you with flexible options to get ISO 27001 working for
your organisation. You get the exact amount of expertise and assistance you need to help you
meet your compliance objectives. Nothing more, nothing less.
Risk Crew also provides Security Penetration Testing, so we can be your partner in helping you gain
ISO compliance and stay compliant.
• Learn what additional steps it would take for your organisation to reach compliance with this online tool.
• Get a mini-gap assessment and advice from an ISO 27001 expert. Schedule a call or online meeting today.
• Find out how Risk Crew can help your organisation achieve compliance. Choose from 4 service options to meet your needs.
Let our experts help you achieve & accelerate your ISO 27001 Certification.
Shelter from the Storm
Contact us for more information